War in the Modern World

On Cyberwar, Blizzard War and Buzzwords in General

We are, if you haven’t noticed, in the midst of a cyber-scare. Pretty much everywhere from Washington to Beijing to London you will find some public official talking loudly about cyber threats of one sort or another. For me it brings to mind nothing so much as Stanley Baldwin’s famous House of Commons speech (helpfully transcribed and brought to you on the web in full on the Airminded blog) in November 1932 in which he warned:

I think it is well also for the man in the street to realise that there is no power on Earth that can protect him from being bombed, whatever people may tell him. The bomber will always get through…

Likewise, in recent testimony to the Senate Armed Services Committee incoming CIA Chief Leon Panetta predicts that ‘the next Pearl Harbor that we confront could very well be a cyberattack that cripples’ America’s electrical grid and its security and financial systems.

But, you know, as strategists it is important to get altitude on the existential threat du jour and ask is the current phreak-out really justified? My answer: no. The panic is understandable and predictable because it has happened before in history many times in response to other technological changes. I think Bruce Sterling’s sage observation in his book The Hacker Crackdown is very apposite on this point:

For the average citizen in the 1870s, the telephone was weirder, more shocking, more ‘high-tech’ and harder to comprehend, than the most outrageous stunts of advanced computing for us Americans in the 1990s. In trying to understand what is happening to us today, with our bulletin-board systems, direct overseas dialling, fiber-optic transmissions, computer viruses, hacking stunts, and a vivid tangle of new laws and new crimes, it is important to realize that our society has been through a similar challenge before–and that, all in all, we did rather well by it.

In short, calm down. Have a nice cup of tea. Some of the apparent consternation about cyberspace is perhaps explained by Marshall McLuhan who, drawing on Søren Kierkegaard’sThe Concept of Dread(1844), observed in 1967 that ‘wherever a new environment goes around an old one there is always new terror.’

This is a wise basis upon which to develop a strategic sensibility about cyberspace which, frankly, looks rather discombobulated at the moment. Whether the technology is the printing press, telegraph, telephone, television or the internet the contemporary ‘shocks of the new’ have tended, in time, to be absorbed and normalized by the species. I wouldn’t deny the transformative effects of technology, nor their potentially deleterious impact on the status quo of human social and political affairs, including war, but it is important, as strategists, to maintain a degree of perspective on events and processes that at close hand appear as existential threats yet with respectful distance and consideration take on different hues.Cyberspace alters much but it doesn’t change everything. Moreover, I suspect it changes things militarily much less than is frequently supposed. [Edit: For one thing, I think its effect on military asymmetry is far less than is supposed. Most new military technologies end up making strong powers stronger and weaker ones weaker. I don’t see why that would not be the case here too.]

That said, there was another thing which caught my eye in Panetta’s speech that is noteworthy:

This is a time of historic change. We are no longer in the Cold War. This is the Blizzard War – a blizzard of challenges that draws on speed and intensity from rapidly developing technologies and the rising number of powers on the world stage.

Is this the newest rebranding of the GWOT/SAVE/Long War/whatever in Washington? It’s the first I’ve heard it. Can I be the first in the blogosphere to say cut it out? Death to buzzwords! The field of strategic studies is beset with neologisms and hyphenated war-types which are pointless and distracting.

I had mentioned in another post that I once served as the operations officer at the strategic communications center for a major U.S. theater command. During that time we developed a computer system to automate terminal operations (from teletype punch tape to CRT workstations). The security people were most unhappy with us in that they were not confident in our ability to safeguard highly classified data on devices emitting that much RF signal. They spent several months ‘hacking’ our facility while we worked on the new system. Each time they found a vulnerability, we fixed it. I wish I could tell you of some of the more inventive attacks they used.

I particularly liked their motto: “If I can do it, Ivan can do it” alluding to the Soviets of course. It was a very conserative stance and I doubt that anyone was capable of doing all that they could, however it is better to be safe than sorry.

Data systems are far more important now than then and, yes, there are even greater consequences to cyber attacks. No, we should not stay awake at nights fretting over the possibility. I suspect that our cyber-freaks still hold the high ground and are even more vigilant than then. I simply think it is more prudent to allocate defense funds for their worthy work than in building great machines to fight some high-tech version of WWII.

I think FRES is a British buzzword (Future Rapid Effects Systems), but not sure. The US called their version Future Combat Systems (FCS).

Cyberwar is indeed a very real and very difficult threat that we would do well to take very seriously, as you state. And I like to think we still hold the cyber high ground. . .but for how long?

Cyber-attacks are unrelenting and on-going, and most attacks against the US are from China and North Korea.

The challenge is not so much to protect “government” systems solely, but to protect the entire system/population from threats.

To cause wide-spread chaos, there is nothing like taking down email, on-line commerce, shutting down sat-navs, stealing identities and maxing out hundreds of thousands of personal credit cards and disabling electronic card readers of all types.

And how to deal with Aunt Edna in North Dakota. Aunt Edna in North Dakota does on-line banking and she doesn’t have adequate protections on her computer. Hackers/threats find her and use her as a portal to launch back-door attacks. Those attacks may proceed thusly: access to her on-line bank opens the door to local, state and federal government accounts that use that bank, and using the banks “trusted” accounts through the interconnected local, state and federal portals, attacks are launched on critical institutions/infrastructure. With that sort of access, using software to achieve “soft” damage is easily done, as is using software to achieve direct and ancillary kinetic effects.

So, how do you protect a national infrastructure that is electronically interconnected when a vast majority of the population do not have adequate fire-walls and sophisticated protections? Pass a law mandating everyone with access to the net obtain and maintain government approved software protections? Not in a free society would anyone accept that. Talk about Big Brother.

There used to be a requirement that I knew of where a classified net required an “air gap” between it and an open, unclassified, net. However, there are technology and programming protections that are making this requirement (allegedly) obsolete. I saw a demonstration of this capability just over a week ago and I must say it is impressive. However, I remain unconvinced it is “unhackable” and able to withstand unknown threats and ensure protections at the same level (or better) than an air-gap.

(As a side note, nuke nets will remain stand-alone. . . .for now. . .and I personally hope it remains that way forever).

Strategy challenge as I see it will be to develop a national approach to defenses against cyber-threats. And when doing so, many factors need to be addressed, such as identifying cyber-threats of all types, determining who and where they are from, to how do you protect and respond, if you respond at all, and finally, at what level will a cyber-attack become an act of war as opposed to a criminal act of reckless virtual vandalism?

Other questions demand answers, too. Is a dedicated lone hacker taking down a defense net someplace a legitimate target to hack-back and blow up his monitor and melt his hard-drive? Is a room full of Chinese hackers, operating with Chinese government approval, is this an act of war. . . do we consider a cyber-attack emanating from a nation that controls net access a government-sponsored attack?

And what of telecommunication laws that control our response to hacker/cyber-attacks? In the states we are primarily operating under telecommunication laws written in the 30’s, and those laws were aimed at wiretapping. Wiretapping laws are hardly a good fit when dealing with the cyber-word.

Do we need to establish a Cold War type of MAD strategy to deal with the threat? Flexible Response? Is that even possible?

So many issues that need to be addressed, so many questions that need to be answered before we can even begin to build a viable strategy on cyber-war.

What to do? For me, as a victim of attempted ID-theft and the hassles that caused (and continues to cause), I prefer the General “Stonewall” Jackson approach. At the Battle of Fredricksburg, a Confederate soldier came up to General Jackson and asked how to get the Union soldiers to stop shooting. Jackson’s reply was reported to be; “Kill them! Kill them all!” Works for me.

Although telephone technology appeared to have a relatively low impact on conflict on its introduction, I’m not sure it necessarily follows that other communication technologies will be similarly inert. It seems to me that we are not comparing like with like. Telephone technology, in particular, did not have a directly offensive use, unless one counts prank calls. Cyber-technologies, on the other hand, do.

If one accepts this proposition: that cyber technology can be used in direct offense, then I think one also has to accept that it could still be a game-changer in ways we have not necessarily anticipated. This is the strategic ‘wild card’ view.

To cite a good example of another techno-scientific wild card, nuclear deterrence has fundamentally shaped the world in which we live today, and for the duration of the Cold War was perhaps the prime determinant of how conflict played out. Indeed, this is even still true today to a significant extent. But how accurately could these developments have been predicted just ten or twenty years before they occurred? Even if they had been predicted, how fully could the implications have been mapped? We can apply the likely answers to these questions to other nascent technologies we see around the globe now, such as nanotechnology or genetic modification, and – yes – cyber technology. Atomic energy set the agenda for an entire security era. Given the exponential rate of scientific progress we can expect to see similar developments, and perhaps sooner than we think. Cyber technology is still very much in that game.

Mr Betz
As I was reading the above ABC radio news informed me that the CIA systems were comprehensively hacked into today – ‘LOLSEC’, or something – just for laughs.
A better way of putting that is – they’ve finally noticed that someone has been ‘reading over their shoulders’.
Another matter – this lump of junk I’m thrashing away at has been in dock for the last week
Started it up a few minutes ago – a week’s plus worth of e-mails to sort out – the majority of them from quasi defence sources.
Some are genuine – invites to spend more money attending seminars – newsletters, info updates, requests for info and the like.
As usual some are new – never heard of ‘em before.
I’m sure the various defence organizations are snowed under with the same sort of stuff to the extent that most would automatically be filed vertically.
Or would it?
At some stage malicious stuff has to get through or around the best security systems like the aforementioned bombers.

And then there are mistakes –
A few years ago I was provided a certain project name – just go and ‘google’ it – I was advised by phone from a contact at Russell Offices, Canberra.
So I did – and after a bit of digging looking for the ‘Sec Unclass’ information I’d been assured I’d find there – down the screen rolled all the daily orders for the ADF.

All that, of course, was as interesting as watching paint dry but not at all the point.
Let’s just say that when I contacted defence next day to advise them about their breach of security I was as impressed with their casual response as I was with their stuff up.

I’d like to believe they are doing better these days – but I doubt it.
I doubt it ‘cos they’d be buying their systems from the USof A, naturally for interoperability considerations.

Which rolls back to how I started this comment with the news bulletin announcing that the CIA has been hacked into.

The hack was into the unclass, open-source webpage. You know, the one that is at http://www.cia.gov. It was not the intranet nor the “other” nets that they, and others, share classified data.

That said, it is surprising that the open-source webpage was hacked into.

However, maybe not.

Who’s to say they did not monitor who was probing and hacking “in,” and then using that information to track and monitor those sources, and perhaps hack-back and do a little stuxnet worm planting of their own. Let LulZec brag all they want, but just as access to Aunt Edna’s internet accounts can open doors, so can hacking-back.

Great post, Dave. Really enjoyed the presentation to which you linked, and can hardly wait to read the book.

I am sympathetic to your comparison of airpower and cyberpower: hypberbolic, mythic, etc.

One question: Do you think that this hype will endure, as it has around airpower? Or will cyberwar, etc. become integrated into other understandings of war and conflict, like, say, radio communications has?

Thanks, FB. I think that your question is an apposite one. I think that if ever we create a distinct cyber-service, whatever it might be called, ‘the cybernauts?’ ‘Cybertry?’, then you can expect the same sort of thing to happen. The new service will be forced by bureaucratic necessity to carve out a niche and identity for itself separate from the others. This will be a mistake, in my view. So far this has been resisted–we have instead joint cyber commands–which seems to me not a bad outcome. In twenty years I think it will be like electronic warfare totally integrated across the domains of warfare (another issue of mine is that cyber is not a domain of warfare). Overall, however, I would emphasize that the impact of cyber is far less significant on military operations than it is in broader societal terms which is why all this talk of cyberwar really bugs me. It misses the point, the really important effects are subversive.

The post demonstrates that cyber warfare is the newest threat to global stability, in terms of state via state ( I.E Chinese government versus American government) , or group ( I.E Anonymous targeting a state such as Egypt) via state warfare. It reminds me of the same panic that went through Londoners when people said that one day the streets of London would be too congested because of the amount of horse poo. Horse drawn carriages being the primary form of transportation in that age. It would definitely seem in the CIAs interest to spread and talk about the threat of cyber warfare as it would give legitimacy to a increasingly bigger budget, and resources available to the agency. Looking at US foreign and domestic policy it would not be the first time threats have been blown out of proportion to achieve the agencies objective over the common interest.